Cyber Risk Aware Blog

5 Best Practices for Your Security Awareness Training

Jan 4, 2018 8:00:00 AM / by Stephen Burke

Implementing a security awareness training program may seem like a big challenge, particularly in an organisation which has never utilised such training before. There are many potential topics to cover and numerous ways to cover the topics.

While there is no such thing as a "one size fits all" security awareness training initiative, there are best practices one can implement to help focus your efforts. Our Cyber Risk Aware team has highlighted some of the most important points.

Security Awareness Training Best Practices

1. Emphasise the personal human nature of cyber-security.

This is something we occasionally see in companies which have invested in many software and hardware security solutions - they become overconfident, and that overconfidence filters down to their workforce. It becomes easy for a worker to say, "I don't have to worry about security; there's a €20,000 firewall keeping us safe."

If there's one fact that should be emphasised above all in your security training, it's this: Over 90% of successful intrusions involved human error. Every person at your training sessions is going to be more personally responsible for security than even the priciest piece of hardware.

If your training manages to impart nothing except that fact, you're still ahead of the curve.

2. Deliver Small Quantities More Often

Traditional eLearning content has tended to run for 30-40 minutes and to cram in as many topics as possible, usually with dull material. Staff dislike sitting through it, and organisational cyber security has suffered as a consequence.

Delivering engaging content that staff can put to use right away, at work or at home, is a game changer. Short modules that take only a few minutes to complete, delivered throughout the year, are far more effective at raising awareness than one long annual session. Training departments no longer need to chase staff to take the training: staff take it themselves, both because they can use it immediately and because it does not get in the way of their day job.

3. Include real-life simulations and/or roleplay.

Sterile classroom education is not particularly effective at building a security-minded culture within an organisation. Make your education programme as real as possible: simulated phishing and other common attack types reinforce the policies and procedures you are teaching. By delivering these simulated attacks to a person's own desk you see how they react in their normal environment, and depending on their response you can deliver targeted additional training to address any weak points immediately. This has a significant impact on the effectiveness of your training, because the user realises the training is a direct response to their own behaviour and understands its real and immediate relevance. It is a powerful way to overcome the general cynicism many employees have towards training on topics they are not directly interested in.
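The loop described above (run a simulation, record what each person did, assign follow-up training based on their response) needs a small amount of result processing. The script below is an added example, not Cyber Risk Aware's product code; it assumes a simple event log with one `timestamp,user,event` line per recorded action (`sent`, `opened`, `clicked`, `submitted`, `reported`), uses constructed sample data, and the follow-up module names are hypothetical. It folds the log into one outcome per user (worst action taken, and whether they reported the lure), computes campaign-level click/submit/report rates, and maps each user who took the bait to a targeted module. A user who clicked and then reported still gets the module: reporting is the behaviour we want to keep, clicking is the habit we want to change.

```python
"""Score a simulated phishing campaign and assign targeted follow-up training.

Added example, not Cyber Risk Aware's product code. Assumes an event log of
'timestamp,user,event' lines; the FOLLOW_UP module names are hypothetical.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass, field
from io import StringIO

# Ordering of what a user did with the lure, least to most severe. 'reported'
# is tracked separately because it is the desired action, not a failure.
SEVERITY = {"sent": 0, "opened": 1, "clicked": 2, "submitted": 3}
VALID_EVENTS = set(SEVERITY) | {"reported"}

# Hypothetical micro-training modules, keyed by the worst action taken.
FOLLOW_UP = {
    "submitted": "credential-phishing-5min",
    "clicked": "spotting-malicious-links-3min",
    "opened": None,   # opening a mail is not a failure
    "sent": None,
}

# Constructed sample log for one campaign (timestamp,user,event).
SAMPLE_LOG = """\
2018-01-04T08:00:00,alice,sent
2018-01-04T08:00:00,bob,sent
2018-01-04T08:00:00,carol,sent
2018-01-04T08:00:00,dave,sent
2018-01-04T08:12:31,alice,opened
2018-01-04T08:12:45,alice,clicked
2018-01-04T08:13:02,alice,submitted
2018-01-04T08:20:10,bob,opened
2018-01-04T08:20:15,bob,reported
2018-01-04T09:05:00,carol,opened
2018-01-04T09:05:20,carol,clicked
2018-01-04T09:07:00,carol,reported
"""


@dataclass
class UserResult:
    worst: str = "sent"                      # most severe non-report action
    reported: bool = False                   # did the user report the lure?
    events: list = field(default_factory=list)


def parse_log(text: str) -> dict:
    """Fold the event log into one UserResult per user; skip malformed rows."""
    results = defaultdict(UserResult)
    for row in csv.reader(StringIO(text)):
        if len(row) != 3:
            continue
        _ts, user, event = (c.strip() for c in row)
        if event not in VALID_EVENTS:
            continue                         # unknown event name: ignore
        r = results[user]
        r.events.append(event)
        if event == "reported":
            r.reported = True
        elif SEVERITY[event] > SEVERITY[r.worst]:
            r.worst = event
    return dict(results)


def campaign_metrics(results: dict) -> dict:
    """Click, submit and report rates over everyone who was sent the lure."""
    n = len(results) or 1
    clicked = sum(SEVERITY[r.worst] >= SEVERITY["clicked"] for r in results.values())
    submitted = sum(r.worst == "submitted" for r in results.values())
    reported = sum(r.reported for r in results.values())
    return {
        "click_rate": clicked / n,
        "submit_rate": submitted / n,
        "report_rate": reported / n,
    }


def assign_training(results: dict) -> dict:
    """Map each user whose worst action warrants it to a follow-up module."""
    return {
        user: FOLLOW_UP[r.worst]
        for user, r in results.items()
        if FOLLOW_UP[r.worst] is not None
    }


if __name__ == "__main__":
    res = parse_log(SAMPLE_LOG)
    print(campaign_metrics(res))
    print(assign_training(res))
```

Run on the sample log this reports a 50% click rate, 25% credential-submission rate and 50% report rate, and assigns modules to alice and carol only. Tracking the report rate alongside the click rate matters for point 5 below: a rising report rate over successive campaigns is the clearest signal that the training is sinking in.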

4. Spend a lot of time on mobile device security.

If "social engineering" style scams are the most common way to subvert security through the workforce, compromising mobile devices isn't far behind. Your workforce needs to understand just how easily a mobile device can be used against the company, particularly if you operate a "Bring Your Own Device" policy rather than issuing company devices.

Among the topics to cover:

  • Protected data is never ever to be put onto mobile devices without prior authorisation.
  • Mobile devices are always passcode-protected and preferably using multi-factor authentication.
  • Mobile devices should be enrolled in a mobile device management (MDM) solution that enforces security standards and company policies.
  • The need to avoid dodgy websites and social media links or attachments that can deliver malicious code to the device, for example through scripted pages or malicious adverts.
  • Policies for reporting lost or stolen devices as soon as possible so that any access they have can be revoked.

5. Testing is at least as important as learning.

Always make testing and examinations a key part of your training initiative. Workers may grumble, but it's the only way to see just how much of your training is sinking in. Don't only track results among the workforce, either. Track your own effectiveness, so you can keep designing better training programs!

Cyber Risk Aware is all about Human-Centric Security

Our affordable and easy-to-use software solutions make it simple to develop training programs, test your workers, and conduct simulated attacks. Contact us to learn more.
